Detects suspicious command line reg.exe tool adding key to Autoruns key in Registry
Example:
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "softoz" /t REG_SZ /F /D "C:\Users\admin\AppData\Roaming\sihostt.exe"
Related
common persistance
Reference:
https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml#L22
https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
{{ mitre("T1547.001")}}
Data Source(s): Command
let selection= dynamic(['reg',' ADD', @'Software\Microsoft\Windows\CurrentVersion\Run']);
let filter_known = dynamic(['Discord.exe','Skype.exe','LiveChat.exe','Promethean Desktop.exe']);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has_all (selection)
| where InitiatingProcessFileName !in (filter_known) //Known False-Positive
| where ProcessCommandLine !contains "PaperCut"
//| summarize count(), set_InitiatingProcessFolderPath = make_set(InitiatingProcessFolderPath) by InitiatingProcessFileName, FolderPath, FileName, ProcessCommandLine, TenantId
- Inspect if the software is approved
- Validate the folder path of the initiating process
- Use summarize statement to remove duplication
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
- Legitimate administrator sets up autorun keys for legitimate reasons.
- Discord/ Skype/ Other applications
Version 2.0 (date: 09/02/2024)